DETAILED ACTION

01. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submissions filed on 
11/09/06 and 12/05/06 have been entered. 

Claim Rejections - 35 USC § 112

02. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly
claiming the subject matter which the applicant regards as his invention 

Claims 7, 14, 21 recite the limitation "if the signature generates a mismatch
alert". There is insufficient antecedent basis for this limitation in the claim. It is believed
claim 7 was intended to depend on claim 2, claim 14 was intended to depend on claim
9, and claim 21 was intended to depend on claim 16, and has been treated as such for
the remainder of this Office Action. Appropriate correction is required.

05. Claims 1, 6 - 8, 13 - 15, 20 - 21 are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. The claims lack a useful, 
concrete, and tangible result within the meaning of 35 USC 101.

The tangible requirement does not necessarily mean that a claim must either be
tied to a particular machine or apparatus, or must operate to change articles or 
materials to a different state or thing. However, the tangible requirement does require 
that the claim must recite more than a 101 judicial exception, in that the process claim 
must set forth a practical application of that 101 judicial exception to produce a real- 
world result. Providing a benefit to the recipient if the recipient has performed the 
activity does not produce a real-world result and is clearly just an abstract idea. 
Therefore the claims do not provide a tangible result. 

The tangible requirement for claims 1, 8, and 15 is not met because of the 
outcome of the declared "if" statement. In the event that a signature is not located in a
signature cache, there is no action leading to a tangible result. There is only action 
leading to a tangible result if a signature is located in a signature cache. Accordingly, 
these claims do not meet the tangible requirement and are non-statutory under 35 
U.S.C. 101. 

However, claims 2, 9, and 16 fix the deficiency of claims 1, 8, and 15 
(respectively). If independent claims 1, 8, and 15 were amended to include dependent 
claims 2, 9, and 16 (respectively), the tangible requirement under 35 U.S.C. 101 would 
be met. Coincidentally, this amendment would also overcome the 35 U.S.C. 112 
rejections. 

Claim Rejections - 35 USC § 103 
06. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

07. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148
USPQ 459 (1966), that are applied for establishing a background for determining
obviousness under 35 U.S.C. 103(a) are summarized as follows: 

1. Determining the scope and contents of the prior art.

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness or 
nonobviousness.

08. Claims 1 - 3, 5 - 10, 12 - 17, and 19 - 21 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over ASP Alliance (Introduction to Validating User Input in Web 
Forms, December 29, 2003) in view of PBDR (SQL String Validation, June 24, 2003). 

Consider claim 1, ASP Alliance clearly shows a method for using validation
controls (read as query signatures to provide security for a database), comprising: 

when the user's input is being processed (for example, when the form is 
submitted) (read as receiving the query at the database) (page 1 lines 20-21), the page 
framework passes the user's entry to the appropriate validation control or controls (read 
as parsing the query at the database to determine a signature for the query, wherein the
signature specifies a structure based on operations for the query and is independent of
the value of literals in the query) (page 1 lines 21-22). The validation controls test the
user's input and set a property to indicate whether the entry passed the test (read as
determining if the signature is located in a signature cache, which contains signature for
valid queries) (page 1 lines 22-23). And would test the state of the validation controls
before updating a data record with information entered by the user. If you detect an
invalid state, you bypass the update (read as if so, processing the query) (page 1 lines 
27-29). However, ASP Alliance does not specifically disclose that the signature is an 
SQL signature. 

PBDR clearly shows that a query signature coded in ASP can be done through
an SQL string (read as the signature is constructed from structured query language 
[SQL] keywords of the query) (page 1 lines 1 - 4, 33 - 34). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the SQL string validation method taught by PBDR 
into the query string validation method taught by ASP Alliance for the purpose of 
allowing string validation procedures to work for multiple operating environments. 

Consider claim 2, and as applied to claim 1 above, ASP Alliance clearly shows 
a method such that if any validation checks fail (read as if the signature is not in the 
signature cache) (page 1 line 29), you skip all your own processing (read as the method 
further comprises triggering a mismatch alert) (page 1 lines 29-30). 

Consider claim 3, and as applied to claim 2 above, ASP Alliance clearly shows 
a method such that validation controls that detected errors then produce an error 
message that appears on the page (read as the mismatch alert throws an error) (page 1 
lines 30-31). 

Consider claim 5, and as applied to claim 2 above, ASP Alliance clearly shows 
a method such that if any validation checks fail, you skip all your own processing and 
the page is returned to the user (read as the mismatch alert is sent to a requesting
applications, thereby allowing the requesting application to take action) (page 1 lines
29-30). 

Consider claim 6, and as applied to claim 1 above, ASP Alliance clearly shows 
a method such that when the user submits a form to the server, the validation controls 
are invoked to review the user's input, control by control (read as the signature cache is 
initialized by recording signatures of valid transactions during a system initialization 
operation) (page 2 lines 36-37).

Consider claim 7, and as applied to claim 2 above, ASP Alliance clearly shows 
a method such that if any validation checks fail (read as the signatures generates a 
mismatch alert) (page 1 line 19) you enable validation of user input by adding validation 
controls to your form as you would other server controls (read as if the query is a valid 
query, the method further comprises allowing a database administrator to add the 
signature to the signature cache) (page 1 line 16-17). 

Consider claim 8, ASP Alliance clearly shows a computer-readable storage 
medium storing instructions that when executed by a computer cause the computer to 
perform a method for using validation controls (read as query signatures to provide 
security for a database), comprising: 

when the user's input is being processed (for example, when the form is 
submitted) (read as receiving the query at the database) (page 1 lines 20-21), the page
framework passes the user's entry to the appropriate validation control or controls (read
as parsing the query at the database to determine a signature for the query, wherein the
signature specifies a structure based on operations for the query and is independent of
the value of literals in the query) (page 1 lines 21-22). The validation controls test the
user's input and set a property to indicate whether the entry passed the test (read as 
determining if the signature is located in a signature cache, which contains signature for 
valid queries) (page 1 lines 22-23). And would test the state of the validation controls 
before updating a data record with information entered by the user. If you detect an
invalid state, you bypass the update (read as if so, processing the query) (page 1 lines 
27-29). However, ASP Alliance does not specifically disclose that the signature is an 
SQL signature. 

PBDR clearly shows that a query signature coded in ASP can be done through 
an SQL string (read as the signature is constructed from structured query language 
[SQL] keywords of the query) (page 1 lines 1 - 4, 33 - 34).

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the SQL string validation computer-readable 
medium taught by PBDR into the query string validation computer-readable medium 
taught by ASP Alliance for the purpose of allowing string validation procedures to work 
for multiple operating environments. 

Consider claim 9, and as applied to claim 8 above, ASP Alliance clearly shows 
a computer-readable storage medium such that if any validation checks fail (read as if 
the signature is not in the signature cache) (page 1 line 29), you skip all your own 
processing (read as the method further comprises triggering a mismatch alert) (page 1 
lines 29-30).

Consider claim 10, and as applied to claim 9 above, ASP Alliance clearly
shows a computer-readable storage medium such that validation controls that detected 
errors then produce an error message that appears on the page (read as the mismatch 
alert throws an error) (page 1 lines 30-31). 

Consider claim 12, and as applied to claim 9 above, ASP Alliance clearly 
shows a computer-readable storage medium such that if any validation checks fail, you 
skip all your own processing and the page is returned to the user (read as the mismatch 
alert is sent to a requesting applications, thereby allowing the requesting application to 
take action) (page 1 lines 29-30). 

Consider claim 13, and as applied to claim 8 above, ASP Alliance clearly 
shows a computer-readable storage medium such that when the user submits a form to 
the server, the validation controls are invoked to review the user's input, control by 
control (read as the signature cache is initialized by recording signatures of valid 
transactions during a system initialization operation) (page 2 lines 36-37). 

Consider claim 14, and as applied to claim 9 above, ASP Alliance clearly 
shows a computer-readable storage medium such that if any validation checks fail (read 
as the signatures generates a mismatch alert) (page 1 line 29) you enable validation of 
user input by adding validation controls to your form as you would other server controls 
(read as if the query is a valid query, the method further comprises allowing a database 
administrator to add the signature to the signature cache) (page 1 lines 16-17). 

Consider claim 15, ASP Alliance clearly shows an apparatus for using validation 
controls (read as query signatures to provide security for a database), comprising:

when the user's input is being processed (for example, when the form is
submitted) (read as receiving the query at the database) (page 1 lines 20-21), the page
framework passes the user's entry to the appropriate validation control or controls (read
as parsing the query at the database to determine a signature for the query, wherein the
signature specifies a structure based on operations for the query and is independent of
the value of literals in the query) (page 1 lines 21-22). The validation controls test the
user's input and set a property to indicate whether the entry passed the test (read as
determining if the signature is located in a signature cache, which contains signature for
valid queries) (page 1 lines 22-23). And would test the state of the validation controls 
before updating a data record with information entered by the user. If you detect an 
invalid state, you bypass the update (read as if so, processing the query) (page 1 lines 
27-29). However, ASP Alliance does not specifically disclose that the signature is an 
SQL signature. 

PBDR clearly shows that a query signature coded in ASP can be done through 
an SQL string (read as the signature is constructed from structured query language 
[SQL] keywords of the query) (page 1 lines 1 - 4, 33 - 34). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the SQL string validation apparatus taught by 
PBDR into the query string validation apparatus taught by ASP Alliance for the purpose
of allowing string validation procedures to work for multiple operating environments. 

Consider claim 16, and as applied to claim 15 above, ASP Alliance clearly 
shows an apparatus such that if any validation checks fail (read as if the signature is not
in the signature cache) (page 1 line 29), you skip all your own processing (read as the
method further comprises triggering a mismatch alert) (page 1 lines 29-30). 

Consider claim 17, and as applied to claim 16 above, ASP Alliance clearly 
shows an apparatus such that validation controls that detected errors then produce an 
error message that appears on the page (read as the mismatch alert throws an error) 
(page 1 lines 30-31). 

Consider claim 19, and as applied to claim 16 above, ASP Alliance clearly 
shows an apparatus such that if any validation checks fail, you skip all your own 
processing and the page is returned to the user (read as the mismatch alert is sent to a 
requesting applications, thereby allowing the requesting application to take action) 
(page 1 lines 29-30). 

Consider claim 20, and as applied to claim 15 above, ASP Alliance clearly 
shows an apparatus such that when the user submits a form to the server, the validation 
controls are invoked to review the user's input, control by control (read as the signature 
cache is initialized by recording signatures of valid transactions during a system 
initialization operation) (page 2 lines 36-37).

Consider claim 21, and as applied to claim 16 above, ASP Alliance clearly 
shows an apparatus such that if any validation checks fail (read as the signatures 
generates a mismatch alert) you enable validation of user input by adding validation 
controls to your form as you would other server controls (read as if the query is a valid 
query, the method further comprises allowing a database administrator to add the 
signature to the signature cache) (page 1, lines 29, 16-17).

09. Claims 4, 11, and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable
over ASP Alliance (Introduction to Validating User Input in Web Forms, December 29,
2003) in view of PBDR (SQL String Validation, June 24, 2003) in further view of The 
PHP Group (Error Handling and Logging Functions, November 27, 2003). 

Consider claim 4, and as applied to claim 1 above, ASP Alliance, as modified 
by PBDR, clearly show the claimed invention except for that a mismatch alert is sent to 
a database administrator. 

The PHP Group clearly shows an example of using the error handling capabilities 
to define an error handling function, which logs the information into a file and e-mails the 
developer in case a critical error in logic happens (read as the mismatch alert is sent to 
a database administrator and the query is processed) (page 7 lines 5-6). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the error handling capability taught by The PHP 
Group into the method of using query signatures taught by ASP Alliance, as modified by 
PBDR, for the purpose of allowing an administrator to monitor errors being entered into 
the database. 

Consider claim 11, and as applied to claim 8 above, ASP Alliance, as modified
by PBDR, clearly show the claimed invention except for that a mismatch alert is sent to 
a database administrator. 

The PHP Group clearly shows an example of using the error handling capabilities 
to define an error handling function, which logs the information into a file and e-mails the 



Application/Control Number: 10/800,315 Page 12 

Art Unit: 2169 

developer in case a critical error in logic happens (read as the mismatch alert is sent to 
a database administrator and the query is processed) (page 7 lines 5-6). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the error handling capability taught by The PHP 
Group into the use of query signatures taught by ASP Alliance, as modified by PBDR, 
for the purpose of allowing an administrator to monitor errors being entered into the 
database. 

Consider claim 18, and as applied to claim 15 above, ASP Alliance, as 
modified by PBDR, clearly show the claimed invention except for that a mismatch alert 
is sent to a database administrator. 

The PHP Group clearly shows an example of using the error handling capabilities 
to define an error handling function, which logs the information into a file and e-mails the 
developer in case a critical error in logic happens (read as the mismatch alert is sent to 
a database administrator and the query is processed) (page 7 lines 5-6). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to combine the error handling capability taught by The PHP 
Group, into the use of query signatures taught by ASP Alliance, as modified by PBDR, 
for the purpose of allowing an administrator to monitor errors being entered into the 
database.

Response To Arguments

10. Applicant's arguments filed on 11/09/06 have been fully considered, but they are
not persuasive. The examiner respectfully traverses applicant's arguments. 

Applicant argued that ASP "does not teach using signatures to detect structured 
query language (SQL) injection" and is "limited to web-applications". Examiner agrees 
that ASP is deficient in teaching this, however, as per the Office Action, PDBR discloses
this. PDBR specifically teaches using SQL validation on a query, and that it can take 
place at a database. 

Applicant argued that PDBR teaches validating a string to identify invalid 
characters and not "creating and validating a signature". Examiner agrees that PDBR is 
deficient in teaching this, however, as per the Office Action, ASP discloses this. ASP 
teaches using validation controls to provide for all types of standard validation, as well 
as custom-written validation. These validation controls are used to ensure that only 
appropriate queries are processed. 

Applicant has amended claims 1, 8, and 15 to clarify that the invention parses the 
query at the database. However, ASP teaches that the validation controls can take 
place at the client and/or the server. 

Conclusion 

11. Any response to this Office Action should be faxed to (571) 273-8300 or mailed
to: 



Commissioner for Patents 
P.O. Box 1450
Alexandria, VA 22313-1450

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulany Street 
Alexandria, VA 22314 

12. Any inquiry concerning this communication or earlier communications from the 
Examiner should be directed to Christopher Raab whose telephone number is (571) 
270-1090. The Examiner can normally be reached on Monday-Thursday from 7:30am to 
5:00pm. 

If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's 
supervisor, Christian Chace can be reached on (571) 272-4190. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you
have questions on access to the Private PAIR system, contact the Electronic Business
Center (EBC) at 866-217-9197 (toll-free) or 703-305-3028.

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist/customer service whose telephone 
number is (571) 272-2600. 



Christopher Raab 
C.R./cr 

January 115/2007 



